JP2023524715A - Identity provisioning across networks - Google Patents

Abstract

Exemplary operations include connecting Blockchain 1 to Blockchain 2 by the Identity Provisioning Node and Interoperable Identity Network (IIN) for Blockchain 1 and Blockchain 2 by the Identity Provisioning Node. ) as an instance of a self-sovereign identity (SSI) network and executing smart contracts to invoke IIN access control policies and block blockchain 1 attributes and permissions based on IIN access control policies. mapping to the attributes and permissions of chain 2 and generating valid and verifiable credentials (VCs) for the IINs in blockchain 1 and in blockchain 2 based on the mapped attributes and permissions including one or more

Description

A centralized database stores data in a single database (eg, a database server) and maintains it in one place. This location is often a central computer, such as a desktop central processing unit (CPU), a server CPU, or a mainframe computer. Information stored in a centralized database is typically accessible from different locations. Multiple users or client workstations can work simultaneously using a centralized database, eg, based on a client/server configuration. A centralized database is easier to manage, maintain and control, especially for security purposes, because of its single location. Within the centralized database, data redundancy is minimized because a single storage location for all data also means that only a particular set of data contains one primary record.

Viewed from a first aspect, the present invention provides a system including a processor and a memory, the processor for connecting blockchain 1 to blockchain 2 and for blockchain 1 and for blockchain 2. creating an interoperation identity network (IIN) as an instance of a self-sovereign identity (SSI) network and executing smart contracts to invoke IIN access control policies; Mapping attributes and permissions of blockchain 1 to attributes and permissions of blockchain 2 based on IIN access control policies, validating and validating IINs in blockchain 1 and in blockchain 2 based on the mapped attributes and permissions generating a verifiable credential (VC).

The present invention preferably provides a system in which the SSI network is configured to store decentralized identifiers (DIDs) between networks.

The present invention preferably provides a system in which the SSI network contains an INN-specific schema that defines the structure of the associated DID document.

The present invention provides instructions for a processor to run a smart contract and apply IIN access control policies to a blockchain 1 that is authorized to connect to blockchain 2 and invoke functions of blockchain 2. Preferably, a system is provided that allows the definition of entities to be further performed.

The present invention provides a system in which the instructions further cause the processor to execute a smart contract and verify VCs of IINs in Blockchain 1 and Blockchain 2 based on the DID of the SSI network. is preferred.

The present invention preferably provides a system wherein the instructions further cause the processor to use the IIN for identity provisioning between networks of multiple blockchain networks.

The present invention preferably provides a system wherein the instructions further cause the processor to execute smart contracts and verify identities and permissions of verifiable presentations against IIN access control policies.

Viewed from a second aspect, the present invention comprises connecting blockchain 1 to blockchain 2 by an identity provisioning node, and mutual connection for blockchain 1 and blockchain 2 by an identity provisioning node. Create an operational identity network (IIN) as an instance of a self-sovereign identity (SSI) network, execute smart contracts to invoke IIN access control policies, and block chain 1 based on IIN access control policies. to the attributes and permissions of Blockchain 2 and generate valid and verifiable credentials (VCs) for IINs in Blockchain 1 and in Blockchain 2 based on the mapped attributes and permissions A method is provided that includes one or more of:

The present invention preferably provides a method in which an SSI network is configured to store decentralized identifiers (DIDs) between networks.

The present invention preferably provides a method wherein the SSI network contains an INN-specific schema that defines the structure of the associated DID document.

The present invention executes smart contracts and applies IIN access control policies to define the entities of Blockchain 1 that are permitted to connect to Blockchain 2 and invoke Blockchain 2 functions. It is preferred to provide a method further comprising:

The present invention provides the method of claim 8, further comprising executing the smart contract and verifying the VCs of the IINs in Blockchain 1 and Blockchain 2 based on the DID of the SSI network. is preferred.

The present invention preferably provides a method further comprising using an IIN for inter-network identity provisioning of multiple blockchain networks.

The present invention preferably provides a method further comprising executing smart contracts and verifying identities and permissions of verifiable presentations against IIN access control policies.

Viewed from a third aspect, the present invention provides a non-transitory computer-readable medium containing instructions which, when read by a processor, cause the processor to convert blockchain 1 to blockchain. 2; creating Interoperable Identity Networks (IINs) for Blockchain 1 and Blockchain 2 as instances of Self-Sovereign Identity (SSI) networks; , invoke the IIN access control policy, map the attributes and permissions of blockchain 1 to the attributes and permissions of blockchain 2 based on the IIN access control policy, and based on the mapped attributes and permissions, within blockchain 1 and block chain Generating a valid and verifiable credential (VC) for the IIN in 2.

The present invention preferably provides a non-transitory computer readable medium on which an SSI network is configured to store a distributed identifier (DID) between networks.

The present invention provides a non-transitory computer-readable medium further comprising instructions that, when read by the processor, cause the processor to execute smart contracts and apply IIN access control policies. to define entities of Blockchain 1 that are permitted to connect to Blockchain 2 and invoke functions of Blockchain 2 .

The present invention provides a non-transitory computer-readable medium further comprising instructions that, when read by the processor, cause the processor to execute a smart contract and perform a smart contract based on the DID of the SSI network. verifying the VCs of the IINs in Blockchain 1 and Blockchain 2.

The present invention provides a non-transitory computer-readable medium further comprising instructions that, when read by the processor, provide the processor with an IIN to identify between networks of a plurality of blockchain networks. Use for information provisioning is preferred.

The present invention provides a non-transitory computer-readable medium further comprising instructions that, when read by the processor, cause the processor to execute a smart contract and to implement IIN access control policies. verifying the identity and authorization of the verifiable presentation.

1 is a network diagram illustrating a system including a database, according to an example embodiment; FIG. FIG. 2 illustrates an example blockchain architecture configuration, in accordance with an example embodiment; FIG. 4 illustrates a blockchain transaction flow, according to an example embodiment; 1 illustrates a permissioned network, in accordance with an example embodiment; FIG. FIG. 4 illustrates another permissioned network, in accordance with an example embodiment; FIG. 4 illustrates a permissionless network, in accordance with an example embodiment; FIG. 4 shows a flow diagram, in accordance with an example embodiment; FIG. 4 further illustrates a flow diagram, in accordance with an example embodiment; 1 illustrates an example system configured to perform one or more operations described herein, in accordance with an example embodiment; FIG. FIG. 2 illustrates another example system configured to perform one or more operations described herein, in accordance with an example embodiment; [0012] Figure 4 illustrates yet another example system configured to utilize smart contracts in accordance with an example embodiment; FIG. 10 illustrates yet another example system configured to utilize blockchain, in accordance with an example embodiment; FIG. 4 illustrates a process for a new block being added to a distributed ledger, according to an example embodiment; FIG. 4 illustrates the data content of a new data block, in accordance with an example embodiment; 1 illustrates a blockchain for digital content, according to an example embodiment; FIG. FIG. 4 illustrates a block that can represent the structure of a block within a blockchain, according to an example embodiment; FIG. 2 illustrates an example blockchain for storing machine learning (artificial intelligence) data, according to an example embodiment; FIG. 4 illustrates an example quantum secure blockchain, according to an example embodiment; 1 illustrates an example system that supports one or more of the example embodiments; FIG.

It will be readily understood that the components herein, as generally described and shown in the Figures herein, may be arranged and designed in a wide variety of different configurations. . Accordingly, the following detailed description of embodiments of at least one of the methods, apparatus, non-transitory computer-readable media, and systems depicted in the accompanying figures limits the scope of the claimed application. It is not intended as such and is merely representative of selected embodiments.

The features, structures, or characteristics described throughout this specification may be combined or deleted in any suitable manner in one or more embodiments. For example, use of the phrases "example embodiment," "some embodiments," or other similar language throughout this specification may refer to any particular feature, structure, or characteristic described in connection with the embodiments. may be included in at least one embodiment. Thus, appearances of the phrases "example embodiments," "in some embodiments," "in other embodiments," or other similar language throughout this specification do not necessarily all refer to the same group of embodiments. and the features, structures, or characteristics described may be combined or omitted in any suitable manner in one or more embodiments. Further, in each figure, any connections between elements may allow one-way and/or two-way communication, even if the connections shown are one-way or two-way arrows. Also, any device shown in the drawings can be a different device. For example, if a mobile device transmitting information is indicated, a wired device may also be used to transmit that information.

Additionally, although the term "message" may be used in describing embodiments, the present application may apply to many types of networks and data. Additionally, although specific types of connections, messages, and signaling may be illustrated in example embodiments, the application is not limited to specific types of connections, messages, and signaling.

Example embodiments provide methods, systems, components, non-transitory computer-readable media, devices, or networks that provide inter-network identity provisioning in a blockchain network, or combinations thereof.

In one embodiment, the present application utilizes a distributed database (such as a blockchain) that is a distributed storage system that includes multiple nodes that communicate with each other. Distributed databases include append-only, immutable data structures, similar to distributed ledgers, that can maintain records between mutually untrusted parties. Untrusted parties are referred to herein as peers or peer nodes. Each peer maintains a copy of the database record, and no single peer can change the database record without reaching agreement among the distributed peers. For example, peers may run a consensus protocol to validate blockchain-stored transactions, group those stored transactions into blocks, and build hash chains on the blocks. This process forms a ledger by ordering the stored transactions as needed for consistency. In various embodiments, permissioned and/or permissionless blockchains may be used. Anyone can join a public or permissionless blockchain without specific identification. Public blockchains can include native cryptocurrencies and use consensus based on various protocols such as Proof of Work (PoW). Permissioned blockchain databases, on the other hand, allow secure mutual interaction within a group of entities that share a common goal but do not fully trust each other, such as companies that exchange funds, goods, information, etc. provide action.

The present application may utilize blockchain to operate any programmable logic, called "smart contracts" or "chaincode", aligned with the distributed storage scheme. In some cases, there may be special chaincodes for administrative functions and parameters called system chaincodes. Applications can further take advantage of smart contracts, trusted distributed applications that leverage the tamper-proof properties of blockchain databases and the underlying agreements between nodes called signatures or signing policies. Blockchain transactions associated with this application can be "signed" before being committed to the blockchain, while unsigned transactions are ignored. A signing policy allows a chaincode to specify the signers of a transaction in the form of a set of peer nodes required for signing. When a client sends a transaction to the peers specified in the signing policy, a transaction is performed to validate the transaction. After validation, the transactions move to the ordering phase, where a consensus protocol is used to produce an ordered sequence of signed transactions grouped into blocks.

The present application can make use of nodes, which are the communication entities of the blockchain system. A "node" may perform a logical function in the sense that multiple nodes of different types may run on the same physical server. Nodes are grouped within trusted domains and associated with logical entities that control them in various ways. Nodes may include various types, such as clients or submitting client nodes that submit transaction calls to signers (e.g., peers) and broadcast transaction proposals to ordering services (e.g., ordering nodes). Another type of node is a peer node that can receive transactions submitted by clients, commit transactions, and maintain state and copies of the ledger of blockchain transactions. A peer may also have the role of signer, but this is not a requirement. An ordering service node or ordering node is a node that performs communication services for all nodes, and when committing a transaction, and the world state of the blockchain (usually containing control and configuration information). Enforcing delivery guarantees, such as broadcasting to each of the peer nodes in the system, when modifying an initial blockchain transaction (another name for an initial blockchain transaction).

The present application may utilize a ledger, which is an ordered, tamper-proof record of all state transitions of the blockchain. State transitions may result from chaincode invocations (ie, transactions) submitted by participating parties (eg, client nodes, ordering nodes, signer nodes, peer nodes, etc.). Each participating party (such as a peer node) can maintain a copy of the ledger. A transaction may result in a set of key-value pairs of assets being committed to the ledger as one or more operands (create, update, delete, etc.). A ledger contains a blockchain (also called a chain) that is used to store immutable ordered records in blocks. The ledger also contains a state database that maintains the current state of the blockchain.

The present application can make use of chains, which are transaction logs structured as hash-linked blocks, each block containing a sequence of N transactions, where N is one or more. The block header contains the hash of the block's transaction and the hash of the previous block's header. In this way, all transactions in the ledger may be ordered and cryptographically linked together. Therefore, the ledger data cannot be tampered with without breaking the hash link. The hash of the most recently added blockchain block represents all previous transactions on the chain, allowing us to ensure that all peer nodes are in a consistent and trusted state. The chain may be stored in a peer node's file system (i.e., local, attached storage, cloud, etc.) that efficiently supports the append-only nature of blockchain workloads.

The current state of the immutable ledger represents the latest values of all keys contained in the chain's transaction log. The current state is sometimes called the world state because it represents the most recent key value known to the channel. Chaincode calls perform transactions against data in the current state of the ledger. The latest key values may be stored in the state database to make their chaincode interactions efficient. The state database may simply be an indexed view into the chain's transaction log, and thus can be regenerated from the chain at any time. The state database may be automatically restored (and generated if necessary) at peer node startup and before any transactions are received.

Some of the advantages of the present solutions described and shown herein include methods and systems for inter-network identity provisioning in blockchain networks. Example embodiments solve time and trust issues by extending database features such as immutability, digital signatures, and the existence of a single source of truth. Example embodiments provide a solution for cross-network identity provisioning in blockchain networks. Blockchain networks can be homogeneous based on asset types and rules governing assets based on smart contracts.

Blockchains are similar to traditional databases in that blockchains are decentralized, immutable, and secure storage rather than central storage, and each node must share changes to records in storage. is different from Immutable ledgers, smart contracts, security, confidentiality, decentralization, consensus, signing, and accessibility are some of the properties that are unique to blockchains and useful for implementing them. Although not limited to these, these properties are further described herein. According to various aspects, a blockchain due to its unique immutable accountability, security, confidentiality, permissioned decentralization, smart contract enablement, signing, and accessibility • A system is implemented for inter-network identity provisioning in the network. In particular, blockchain ledger data is immutable and provides an efficient method for inter-network identity provisioning in a blockchain network. Alternatively, the use of cryptography in blockchain provides security and builds trust. Smart contracts manage the state of assets and complete their lifecycles. An exemplary blockchain is decentralized and permissioned. Thus, each end user may have a copy of the end user's own ledger for access. Multiple organizations (and peers) may be incorporated into a blockchain network. A primary organization may act as a signing peer to validate smart contract execution results, read sets, and write sets. In other words, the blockchain-specific features provide an efficient implementation of a method for inter-network identity provisioning in a blockchain network.

One advantage of example embodiments is to improve the functionality of computing systems by implementing a method for inter-network identity provisioning in a blockchain network. Example embodiments may span multiple network identity systems. This improves trust and provides transparency without giving up privacy and confidentiality in a series of interconnected systems. Computing systems can leverage blockchain technology by providing access to capabilities such as distributed ledgers, peers, cryptography, MSPs, event processing, etc. via the blockchain systems described herein. Functions may be performed for inter-network identity provisioning in a network. Blockchain also makes it possible to create business networks and incorporate any user or organization to participate. Blockchain is therefore more than just a database. Blockchain has the ability to create a business network of users and embedded/non-embedded organizations to work together to execute service processes in the form of smart contracts.

Example embodiments provide numerous advantages over conventional databases. For example, embodiments provide blockchain-specific immutable accountability, security, confidentiality, permissioned decentralization, smart contract enablement, signing, and accessibility inherent in blockchains. .

On the other hand, it does not involve all parties in a business network, does not create reliable cooperation, and does not provide efficient storage of digital assets, so conventional databases are used to implement example embodiments. It is not possible. Conventional databases do not provide tamper-proof storage or protection of stored digital assets. Therefore, inter-network identity provisioning in a blockchain network is built on top of DIDs created and utilized to use fungible assets (identities) within the blockchain network. The proposed method for identity provisioning of M cannot be implemented in conventional databases. While all blockchain technology frameworks have utilized databases to store record/transaction data and transaction logs, databases sometimes only provide a storage mechanism. Exemplary embodiments provide blockchains with immutable records and the ability to follow transactions/trust, ownership elements of digital assets that contain fungible assets, and identity information that certifies and defines ownership of assets. as a transactional system with the use of non-fungible assets to A database is inadequate to achieve all of these within a system.

On the other hand, if a conventional database were used to implement the example embodiments, the example embodiments would suffer from unnecessary drawbacks, such as search capabilities, lack of security, and slower transaction speeds. Moreover, automated methods for cross-network identity provisioning in blockchain networks would simply not be possible.

A centralized database has a single point of failure. In particular, if fault tolerance is not considered and a failure (e.g., failure of hardware, firmware, or software, or a combination thereof) occurs, all data in the database will be lost and all user work will be lost. interrupted. In addition, centralized databases rely heavily on network connectivity. As a result, when the connection slows down, the time required for each database access increases. Furthermore, bottlenecks can occur when centralized database traffic increases due to a single location. Moreover, a centralized database maintains only one copy of the data. As a result, multiple devices cannot access the same piece of data at the same time without causing serious problems or risks of overwriting the stored data. Furthermore, because database storage systems have minimal or no data redundancy, it is very difficult to retrieve suddenly lost data other than manually retrieving it from backup storage. It can be difficult.

As such, a blockchain-based solution is needed that can serve as an efficient tool for identity provisioning across networks. In blockchain, the identity of participants is usually based on certificates. However, using certificates in a cross-network environment can be difficult and inefficient. Distribution of cryptographic material across multiple networks can be dangerous and expensive.

Accordingly, example embodiments provide one or more solutions for provisioning in blockchain networks.

Example embodiments also change the way data can be stored within the block structure of the blockchain. For example, digital asset data can be securely stored within specific portions of data blocks (ie, within headers, data segments, or metadata). By storing digital asset data within blockchain data blocks, digital asset data can be added to an immutable blockchain ledger via a hashlinked chain of blocks. In some embodiments, data blocks differ from traditional data blocks by the fact that personal data associated with digital assets is not stored with the assets within the traditional block structure of the blockchain. good. By removing personal data associated with digital assets, blockchain can provide the benefits of anonymity based on immutable accountability and security.

According to example embodiments, methods and systems are provided for cross-network identity provisioning in a blockchain network.

In a network-to-network environment, blockchain networks need to interoperate for the exchange of assets and information. This interoperability will require operation between trusted networks and will rely on the sharing of identities and certificates between networks. Because manual ad-hoc sharing is inefficient and difficult to maintain, example embodiments may provide an extensible mechanism for universal interoperability. As previously mentioned, distribution of cryptographic material across multiple networks can be difficult and dangerous. To trust a user of another network, identities, trust trees, attributes, etc. must be available across multiple networks. Doing this may require periodic distribution of updated information (ie, new authoritative entities, changes, CRLs, etc.). And, regular synchronization of files/records is required, which may not be feasible in real world situations. Network operators/stakeholders need fine-grained control over such information sharing.

Example embodiments may provide linkability, ie maintaining confidentiality across multiple networks with certificates. In one embodiment, a self-sovereign identity (SSI) model is provided. According to one embodiment, a solution based on the (DID)/SSI W3C standard for identity management between networks is provided. The key concepts of DID/SSI are:

DID (Distributed Identifier, Globally Unique Identifier) - ie resolvable and verifiable based on URN.

DID Infrastructure Model - ie a global key-value pair database consisting of all DID blockchains, networks, etc.

The value of DID is Document.

Verifiable Credentials (VC) - Extends the DID with a verifiable set of claims that provides an immediate indication of tampering made by the issuer.

Verifiable Presentation (VP) - Derived from a VC to present attributes of a specific credential shared with a specific verifier. A VP may contain data generated from the original credentials (ie, zero-knowledge proofs).

Verifiable Data Registry - Mediates the creation and verification of identities, credential schemas, etc.

Hyperledger Indy - A specific implementation of its own blockchain that includes a suite of wallets and agents that facilitate the exchange of VC and VP information.

According to example embodiments, interoperability between networks using the SSI model may be implemented. Mechanisms are provided to integrate DID/SSI mechanisms and achieve identity creation and verification in blockchain networks. As an example, in the context of Hyperledger Fabric, this mechanism is a new breed of MSP that enables the use of identities and permissions across multiple networks. Network relations are implemented as follows.

Each blockchain network determines who and how can interact with it via interoperability policies. Interoperability of identity information between network A and remote network B may be implemented. Network A selects an external entity (eg, network B as a whole, org_1, or some other entity) that it trusts to issue authentication information. This selection includes decisions regarding authorization/access control. A remote client accessing network A (eg, a client on network B) acts as a credential owner. An entity trusted by network A (eg, org_1 in network B) acts as an issuer of authentication information to the owner. Network A acts as a credential verifier and decides, via its native consensus protocol, whether to allow a remote client to invoke a particular operation. According to example embodiments, mechanisms are provided to facilitate the exchange of information described above. The identity mechanism between networks may use the Interoperable Identity Network (IIN) architecture. The IIN may use an instance of an SSI network (eg, Indy, SSI Fabric, Sovrin, etc.) to store DIDs between networks. A provision of the W3C standard provides for an IIN to provide a verifiable data registry. The IIN may store DIDs that are used to exchange authentication information in a network-to-network environment. An SSI network may include an IIN-specific schema that represents the structure of the associated DID document. This schema may contain generic definitions of attributes associated with VCs (essential for mapping attributes between networks).

Multiple blockchains/ledgers/channels can be connected to any IIN. The IIN may be operated as a private or public service (eg, service provider, consortium, open community, etc.). A ledger/channel may define an IIN access control policy. This policy may define which external entities are allowed to connect to and call the function. In other words, this policy may define entities that are trusted as credential issuers. This policy may define an external mapping of local attributes/permissions. This policy may be stored in a ledger and may be accessible by all peers. A ledger may be connected to any number of IINs. IIN agent nodes may be used by network/ledger components/peers to interact with the IIN. IIN access control policies may determine which IINs agents may connect to. An IIN agent may be able to access the IIN, interact directly with the IIN, or mediate other components' access to the IIN. An IIN agent may retrieve the DID from the IIN and store the DID in the IIN. IIN agents may exchange authentication information with other agents (using the IIN) on demand. IIN agents may facilitate the flow of VP and VC information required for authentication and authorization.

IIN identity providers may be used by peers and other components to provide authentication and authorization. In one embodiment, the IIN Identity Provider is an IIN. May be implemented as an MSP. IIN identity providers may use IIN agents and access control policies to perform authentication and authorization functions. The IIN identity provider may validate the identity and permissions of verifiable presentations against policies. Note that relay components may facilitate the flow of messages in an inter-network environment outside of the IIN mechanism.

In order for the user to participate in the flow of messages between networks, an IIN verifiable credential (VC) is issued to the user and stored in a local wallet (eg, the client's software wallet). VC issuance may be managed per stakeholder/organization (ie, by CA within Fabric). The issuance of VCs is controlled by the IIN issuance policy (which is specific to each certification authority). This policy may define to which identities the IIN's VCs are issued and what attributes are included. This policy defines the mapping of local attributes to attributes of the IIN's schema. Publishing may be implemented as an automatic and transparent function of the IIN agent. For example, if network identification information is issued to the user (eg, a certificate from Fabric's CA), this issuance may be performed automatically by the IIN agent. A certification authority may issue a single VC with selected attributes. VCs may also be created at any other time, such as by an operator/administrator. VCs may be received and used by users.

According to one example embodiment, issuing and using verifiable presentations may be implemented as a function of an IIN agent. Before a user sends a message to a remote network, the user may generate a verifiable presentation for a particular remote network. A user may construct a certificate and send this certificate along with a message to a remote network. A verification protocol may be implemented as a function of the IIN agent. When the network receives a remote message, the agent may verify the attached certificate based on access control policies. A validation protocol may define whether the identity is allowed to access the network, ie whether it was issued by a trusted issuer. A verification protocol may define whether the identity has permission (ie, a mapping of attributes to roles/permissions) to invoke the requested function. For example, messages destined for local and remote networks are signed with local authentication information and a VP-derived certificate is added. This message may be routed to the remote network by a relay device. The remote network authenticates using an IIN identity provider (eg, IIN.MSP) and an IIN agent and verifies authorization based on IIN access control policies.

According to another example embodiment, a distributed identity management service for blockchain may be provided. A system may be implemented that allows the integration of DID/SSI as a source of identity and authorization into blockchain settings across networks. The required set of components may include the IIN Network, IIN Agents, IIN Policies, and IIN Identity Providers that facilitate the creation, exchange, and verification of identities and permissions between blockchain networks. The process of creating a valid DID/SSI-IIN VC in a blockchain network may be implemented as follows. This creation is controlled by the IIN issuance policy. This creation may include a mapping mechanism for access control attributes. The process of DID/SSI-IIN VC verification in a blockchain network may be as follows. This verification is controlled by the IIN access control policy. This validation determines the ability to invoke certain smart contract functions. This verification may be based on the authority assigned to the issuer and the attributes contained in the VC.

FIG. 1 shows a logical network diagram for inter-network identity provisioning in a blockchain network, according to an example embodiment.

Referring to FIG. 1, exemplary network 100 includes identity provisioning node 102 . Identity provisioning node 102 may be connected to blockchain 106 having ledger 108 and blockchain 107 having ledger 109 . An identity provisioning node may connect blockchains 106 and 107 via IIN 105 . Although this example details only one identity provisioning node 102 , multiple such nodes may be connected to blockchains 106 and 107 . that the identity provisioning node 102 may include additional components and some of the components described herein without departing from the scope of the identity provisioning node 102 disclosed herein; may be removed and/or changed. The identity provisioning node 102 may be a computing device or server computer, etc., and may include a semiconductor-based microprocessor, central processing unit (CPU), application specific integrated circuit (ASIC). circuit), a field-programmable gate array (FPGA), or another hardware device, or a combination thereof. Although a single processor 104 is shown, it is understood that the identity provisioning node 102 may include multiple processors, multiple cores, etc. without departing from the scope of the identity provisioning node 102 system. , should be understood. Note that multiple blockchains may be connected by the IIN 105 .

Identity provisioning node 102 may include non-transitory computer-readable media 112 that may store machine-readable instructions executable by processor 104 . Examples of machine-readable instructions are shown as 114-118 and are further described below. Examples of non-transitory computer-readable media 112 include electronic, magnetic, optical, or other physical storage devices that contain or store executable instructions. For example, the non-transitory computer readable medium 112 may include random access memory (RAM), electrically erasable programmable read-only memory (EEPROM), hard disk, optical disk. , or other type of storage device.

Processor 104 may execute machine-readable instructions 114 to connect Blockchain 1 106 to Blockchain 2 107 . A blockchain may be configured to use one or more smart contracts to manage transactions for multiple participating nodes.

Processor 104 may execute machine readable instructions 116 to create Interoperable Identity Network (IIN) 105 for Blockchain 1 106 and Blockchain 2 107 as instances of Self-Sovereign Identity (SSI) networks. . Processor 104 executes machine readable instructions 118 and executes smart contracts to invoke the access control policies of IIN 105 and apply attributes and permissions of Blockchain 1 106 to Blockchain 2 based on the access control policies of IIN 105 . 107 attributes and permissions, and generating valid and verifiable credentials (VCs) for IINs 105 in Blockchain 1 106 and Blockchain 2 107 based on the mapped attributes and permissions. Execute.

FIG. 2A shows a configuration 200 of a blockchain architecture, according to an example embodiment. Referring to FIG. 2A, a blockchain architecture 200 may include certain blockchain elements (eg, a group of blockchain nodes 202). Blockchain node 202 may include one or more nodes 204-210 (these four nodes are shown by way of example only). These nodes participate in multiple activities such as blockchain transaction addition and validation processes (consensus). One or more of blockchain nodes 204 - 210 may sign transactions based on a signing policy and may provide an ordering service for all blockchain nodes in architecture 200 . A blockchain node initiates a blockchain authentication and may attempt to write to the blockchain's immutable ledger stored in the blockchain layer 216, and a copy of this write is transferred to the underlying physical infrastructure 214. may also be stored. Blockchain constructs are linked to application programming interfaces (APIs) 222 for accessing and executing stored programs/application code 220 (e.g., chaincode, smart contracts, etc.). may include one or more applications 224, and the program/application code 220 can be created according to customized configurations requested by participants, maintain their own state, and maintain their own assets. can control and receive external information. Blockchain constructs can be installed on all blockchain nodes 204-210 by deploying them as transactions and adding them to the distributed ledger.

Blockchain base or platform 212 includes various layers of blockchain data and services (e.g., cryptographic trust services, virtual execution environments, etc.) and attempts to receive and store new transactions and access data entries. and the underlying physical computer infrastructure that may be used to provide access to auditors. Blockchain layer 216 may expose interfaces that provide access to the virtual execution environment required to process program code and participate in physical infrastructure 214 . Cryptographic trust services 218 may be used to validate transactions, such as asset exchange transactions, and keep information private.

The configuration of the blockchain architecture of FIG. 2A may process and execute program/application code 220 via one or more interfaces and provided services exposed by blockchain platform 212. Code 220 may control blockchain assets. For example, code 220 can store and transfer data and may be executed by nodes 204-210 in the form of associated chaincode or other code elements subject to execution, including smart contracts and conditions. . As a non-limiting example, smart contracts may be created to implement reminders, updates or changes, other notifications subject to updates, or a combination thereof. The smart contract itself can be used to identify the entitlement and access requirements and rules associated with the use of the ledger. For example, one or more processing entities (e.g., virtual machines) included in blockchain layer 216 may process blockchain 1 attributes and permissions and blockchain 2 attributes and permissions information 226 ( ie, may be mapped). Results 228 may include valid and verifiable credentials (VCs) for IINs in Blockchain 1 and Blockchain 2 based on the mapped attributes and permissions.

Physical infrastructure 214 may be utilized to retrieve any of the data or information described herein.

Using high-level applications and programming languages, smart contracts may be created and then written to blocks within the blockchain. A smart contract may include executable code that is registered, stored, and/or replicated on a blockchain (eg, a distributed network of blockchain peers). A transaction is an execution of smart contract code that may be executed in response to a condition associated with the smart contract being satisfied. Execution of smart contracts may trigger trusted changes to the state of the digital blockchain ledger. Changes to the blockchain ledger caused by smart contract execution may be automatically replicated across a distributed network of blockchain peers via one or more consensus protocols.

A smart contract may write data to the blockchain in the form of key-value pairs. Additionally, the smart contract code can read the values stored on the blockchain and use them in the operation of the application. Smart contract code can write the output of various logical operations to the blockchain. This code may be used to create temporary data structures within a virtual machine or other computing platform. Data written to the blockchain can be made public and/or kept private and encrypted. Temporary data used/generated by the smart contract is kept in memory by the provided execution environment and deleted after the required data for the blockchain is identified.

A chaincode may contain code interpretations of smart contracts, along with additional functionality. As described herein, a chaincode may be program code deployed on a computing network and executed together by a chain validator to validate validity during the consensus process. It is confirmed. The chaincode receives the hash and retrieves from the blockchain the hash associated with the previously stored data template created using the feature extraction function. If the hash of the hash identifier and the hash created from the stored identifier template data match, the chaincode sends the authorization key to the requested service. The chaincode may write data associated with cryptographic details to the blockchain.

FIG. 2B illustrates an example blockchain transaction flow 250 between nodes of a blockchain, according to an example embodiment. Referring to FIG. 2B, a transaction flow may include a transaction proposal 291 sent by application client node 260 to signing peer node 281 . The signing peer 281 may verify the client's signature and execute the chaincode function to initiate the transaction. Outputs may include the results of the chaincode, the set of key/value versions read into the chaincode (read set), and the key/value set written into the chaincode (write set). Proposal response 292 is returned to client 260, along with a signature if approved. Client 260 packages the signature into transaction payload 293 and broadcasts it to ordering service node 284 . The ordering service node 284 then distributes the ordered transactions as blocks on the channel to all peers 281-283. Prior to committing to the blockchain, each peer 281-283 may validate the transaction. For example, the peer may check the signing policy to ensure that the correct assignment of the specified peer signed the result and authenticated the signature on the payload 293 of the transaction.

Referring again to FIG. 2B, client node 260 initiates transaction 291 by constructing and sending a request to peer node 281 (the signer). Clients 260 may include applications that utilize supported software development kits (SDKs) that utilize available APIs to generate transaction proposals. The proposal is a request to call a chaincode function so that data can be read from the ledger and/or written to the ledger (i.e. writing new key-value pairs for the asset). is. The SDK acts as a shim for packaging transaction proposals into well-designed forms (e.g., protocol buffers over remote procedure calls (RPCs)) and provides client cryptographic authentication information. May receive and generate a unique signature for the transaction proposal.

In response, the signing peer node 281 determines that (a) the transaction proposal is well-formed, (b) the transaction has not already been submitted in the past (replay attack protection), and (c) the signature is valid. and (d) that the submitter (in the example, client 260) has been given the appropriate permissions to perform the proposed operation on that channel. Signing peer node 281 may receive the input of the transaction proposal as an argument to the chaincode function to be called. The chaincode is then executed against the current state database and produces a transaction result containing response values, read sets, and write sets. However, at this point, no updates are made to the ledger. At 292, the set of values, along with the signing peer node's 281 signature, is returned as a proposal response 292 to the client's 260 SDK, which parses the payload for use by the application.

In response, the client 260 application checks/verifies the signing peer's signature and compares the proposal responses to determine if the proposal responses are the same. If the chaincode simply queries the ledger, the application inspects the query response and typically does not submit the transaction to the ordering node service 284 . When a client application intends to submit a transaction to the ordering node service 284 to update the ledger, the application must check whether the specified signature policy has been met (i.e., whether the transaction requires has signed the transaction). Here, a client may include only one of the multiple participants in the transaction. In this case, each client may contain its own signing node, and each signing node is required to sign the transaction. The architecture ensures that even if an application chooses not to inspect responses or otherwise forward unsigned transactions, the signature policy is still enforced by the peer and maintained during the commit validation phase. make it

After successful verification, in step 293 client 260 packages the signatures into a transaction and broadcasts the transaction proposal and transaction response in a transaction message to ordering node 284 . A transaction may include a read/write set, a signing peer's signature, and a channel ID. Ordering node 284 does not need to examine the entire contents of a transaction to perform its actions; instead, ordering node 284 simply receives transactions from all channels in the network and chronologically chronologically channel by channel. , and create a block of transactions for each channel.

Blocks of transactions are distributed from ordering node 284 to all peer nodes 281-283 on the channel. In a block to ensure that any signature policy has been satisfied, and to ensure that there have been no changes to the state of the ledger with respect to the readset variables since the readset was generated by the execution of the transaction. transaction 294 is validated. Transactions within a block are tagged as valid or invalid. Additionally, at step 295, each peer node 281-283 adds a block to the channel's chain and for each valid transaction a write set is committed to the current state database. Events are emitted to notify the client application that a transaction (call) has been immutably added to the chain, and to notify whether the transaction has been validated or invalidated. be done.

FIG. 3A illustrates an example permissioned blockchain network 300, which features a decentralized, decentralized, peer-to-peer architecture. In this example, blockchain user 302 may initiate a transaction to permissioned blockchain 304 . In this example, a transaction can be a deploy, a call, or a query, and can be issued through a client-side application utilizing the SDK, directly through an API, or the like. The network may provide access to regulators 306, such as auditors. Blockchain network operator 308 manages member permissions, such as registering regulators 306 as 'auditors' and blockchain users 302 as 'clients'. Auditors can be restricted to querying only the ledger, while clients can be authorized to deploy, invoke, and query specific types of chaincode.

A blockchain developer 310 can write chaincode and client-side applications. Blockchain developers 310 can directly deploy chaincode to the network through the interface. To include authentication information from traditional data sources 312 in the chaincode, developers 310 can access the data using an out-of-band connection. In this example, blockchain user 302 connects to permissioned blockchain 304 through peer node 314 . Peer node 314 obtains user registration and transaction credentials from certificate authority 316, which manages user roles and permissions, before initiating any transactions. In some cases, blockchain users must possess their digital certificates in order to conduct transactions on permissioned blockchain 304 . On the other hand, users seeking to utilize chaincode may need to verify their credentials on the legacy data source 312 . To verify user authorization, chaincode can use an out-of-band connection to this data via the conventional processing platform 318 .

FIG. 3B shows another example of a permissioned blockchain network 320, which features a decentralized, decentralized, peer-to-peer architecture. In this example, blockchain user 322 may submit a transaction to permissioned blockchain 324 . In this example, a transaction can be a deploy, a call, or a query, and can be issued through a client-side application utilizing the SDK, directly through an API, or the like. The network may provide access to regulators 326, such as auditors. Blockchain network operator 328 manages member permissions, such as registering regulators 326 as 'auditors' and blockchain users 322 as 'clients'. Auditors can be restricted to querying only the ledger, while clients can be authorized to deploy, invoke, and query specific types of chaincode.

A blockchain developer 330 writes chaincode and client-side applications. Blockchain developers 330 can directly deploy chaincode to the network through the interface. To include authentication information from legacy data sources 332 in the chaincode, developers 330 can access the data using an out-of-band connection. In this example, blockchain user 322 connects to the network through peer node 334 . Peer node 334 obtains user registration and transaction credentials from certificate authority 336 before initiating any transactions. In some cases, blockchain users must possess their digital certificates in order to conduct transactions on permissioned blockchain 324 . On the other hand, users seeking to utilize chaincode may need to verify their credentials on the legacy data source 332 . To verify user authorization, chaincode can use an out-of-band connection to this data via conventional processing platform 338 .

In some embodiments, the blockchain herein may be a permissionless blockchain. Anyone can participate in a permissionless blockchain, as opposed to a permissioned blockchain, which requires permission to participate. For example, a user may initiate interaction with the network by creating a personal address and submitting a transaction, thus adding an entry to the ledger, to participate in a permissionless blockchain. Additionally, all parties may choose to run nodes on the system and employ mining protocols to help validate transactions.

FIG. 3C shows a process 350 of transactions being processed by a permissionless blockchain 352 that includes multiple nodes 354 . Sender 356 sends payments or other forms of value (e.g., deeds, medical records, contracts, goods, services, or any other asset that may be encapsulated in a digital record) via permissionless blockchain 352 . to the receiver 358. In one embodiment, sending device 356 and receiving device 358 may each have a digital wallet (associated with blockchain 352) that provides user interface control and display of transaction parameters. In response, the transaction is broadcast to nodes 354 across blockchain 352 . Depending on the network parameters of blockchain 352, nodes validate transactions based on rules (which may be predefined or dynamically assigned) established by the creator of permissionless blockchain 352 (360). For example, this verification may include verifying the identities of the parties involved, and the like. The transaction may be verified immediately, or the transaction may be placed in a queue with other transactions, and node 354 determines whether the transaction is valid based on a set of network rules.

Within structure 362, valid transactions are formed into blocks and sealed using a lock (hash). This process may be performed between nodes 354 by mining nodes. Mining nodes may utilize additional software to, among other things, mine and create blocks of permissionless blockchain 352 . Each block may be identified by a hash (eg, a 256-bit number, etc.) created using an algorithm agreed upon by the network. Each block may contain a header, a pointer or reference to the hash of the header of the previous block in the chain, and a group of valid transactions. A reference to the hash of the previous block is associated with creating a secure independent chain of blocks.

Blocks must be validated before they can be added to the blockchain. Validation of permissionless blockchain 352 may include proof of work (PoW), which is the solution to the puzzle derived from the block's header. Although not shown in the example of FIG. 3C, another process for block validation is proof of stake. Unlike Proof of Work, where algorithms reward miners for solving math problems, Proof of Stake determines the creator of new blocks according to their wealth (also defined as “stake”). selected in a systematic way. A similar proof is then performed by the selected node.

At mining 364, the node attempts to solve the block by making incremental changes to one variable until the solution meets the network-wide target. This creates a PoW, thereby ensuring correct answers. In other words, a possible solution must prove that computational resources were exhausted in solving the problem. In some types of permissionless blockchains, miners may be given a value (e.g., coins) as a reward for successfully mining a block.

Here, the PoW process, along with block modification, makes blockchain modification extremely difficult, as an attacker must modify all subsequent blocks in order to accept the modification of one block. Moreover, as new blocks are mined, the difficulty of changing blocks increases, increasing the number of subsequent blocks. At distribution 366, the successfully validated block is distributed throughout permissionless blockchain 352, and all nodes 354 place the block on the majority chain, the auditable ledger of permissionless blockchain 352. (majority chain). Additionally, the value in the transaction submitted by the sender 356 is deposited or otherwise transferred to the digital wallet of the receiver device 358 .

FIG. 4A shows a flow diagram 400 of an exemplary method for inter-network identity provisioning in a blockchain network, according to an example embodiment. Referring to FIG. 4A, method 400 may include one or more of the steps described below.

FIG. 4A shows a flow chart of an exemplary method performed by identity provisioning node 102 (see FIG. 1). 4A may include additional acts, and some of the acts described herein may be removed or modified, without departing from the scope of method 400. or both may be implemented. The description of method 400 will also refer to features illustrated in FIG. 1 for purposes of illustration. In particular, processor 104 of identity provisioning node 102 may perform some or all of the operations included in method 400 .

Referring to FIG. 4, at block 412 processor 104 may connect Blockchain 1 to Blockchain 2 . At block 414, the processor 104 may create an Interoperable Identity Network (IIN) for Blockchain 1 and Blockchain 2 as an instance of a Self-Sovereign Identity (SSI) network. At block 416, the processor 104 executes the smart contract to invoke the IIN access control policy and map the attributes and permissions of blockchain 1 to the attributes and permissions of blockchain 2 based on the IIN access control policy. and generating valid and verifiable credentials (VCs) for the IINs in Blockchain 1 and Blockchain 2 based on the mapped attributes and permissions.

FIG. 4B shows an example method flow diagram 450 in accordance with an example embodiment. Referring to FIG. 4B, method 450 may include one or more of the following steps. At block 452, processor 104 executes smart contracts and applies IIN access control policies to identify entities of blockchain 1 that are allowed to connect to blockchain 2 and invoke functions of blockchain 2. can be defined. At block 454, the processor 104 may execute the smart contract to verify the VCs of the IINs in Blockchain 1 and Blockchain 2 based on the SSI network's DID. At block 456, the processor 104 may use the IIN for inter-network identity provisioning of multiple blockchain networks. At block 458, the processor 104 may execute the smart contract to verify the verifiable presentation's identity and permissions against the IIN access control policy. Note that SSI networks may be configured to store distributed identifiers (DIDs) between networks. An SSI network may include an IIN-specific schema that defines the structure of the associated DID document.

FIG. 5A illustrates an example system 500 including a physical infrastructure 510 configured to perform various operations according to example embodiments. Referring to FIG. 5A, physical infrastructure 510 includes module 512 and module 514 . Module 514 implements blockchain 520 and smart contract 530 (which may reside on blockchain 520), which may perform any of the operational steps 508 (within module 512) included in any of the example embodiments. contains. Steps/acts 508 may comprise one or more of the described or illustrated embodiments and may be written from one or more smart contracts 530 and/or blockchain 520. , or may represent information that is read, output, or written. Physical infrastructure 510, modules 512, and modules 514 may include one or more computers, servers, processors, memory, or wireless communication devices, or combinations thereof. Additionally, module 512 and module 514 may be the same module.

FIG. 5B illustrates another example system 540 configured to perform various operations according to example embodiments. Referring to FIG. 5B, system 540 includes modules 512 and 514 . Module 514 implements blockchain 520 and smart contract 530 (which may reside on blockchain 520), which may perform any of the operational steps 508 (within module 512) included in any of the example embodiments. contains. Steps/acts 508 may comprise one or more of the described or illustrated embodiments and may be written from one or more smart contracts 530 and/or blockchain 520. , or may represent information that is read, output, or written. Modules 512 and 514 may include one or more computers, servers, processors, memory, or wireless communication devices, or combinations thereof. Additionally, module 512 and module 514 may be the same module.

FIG. 5C is an illustration configured to utilize a smart contract configuration between contracting parties and an intermediary server configured to enforce the terms of the smart contract against a blockchain, in accordance with an example embodiment; system. Referring to FIG. 5C, configuration 550 may represent a communication session, an asset transfer session, or a process or procedure that explicitly identifies one or more user devices 552 and/or 556 as smart devices. - Operated by contract 530; The execution, actions, and results of smart contract execution may be managed by server 554 . The contents of smart contract 530 may require digital signature by one or more of entities 552 and 556 that are parties to the smart contract transaction. The result of smart contract execution may be written to blockchain 520 as a blockchain transaction. Smart contract 530 resides in blockchain 520, which may reside in one or more computers, servers, processors, memories, or wireless communication devices, or combinations thereof.

FIG. 5D shows a system 560 including a blockchain, according to an example embodiment. Referring to the example of FIG. 5D, an application programming interface (API) gateway 562 accesses blockchain logic (e.g., smart contract 530 or other chaincode) and data (e.g., distributed ledger, etc.). provides a common interface for In this example, API gateway 562 connects one or more entities 552 and 556 to blockchain peers (i.e., server 554) to perform transactions (calls, queries, etc.) against the blockchain. is a common interface for Here, server 554 is a peer component of the blockchain network that holds copies of the world state and distributed ledger that clients 552 and 556 can query for data about world state and execute transactions. It enables submission to the blockchain network, and depending on the smart contract 530 and the signing policy, the signing peer executes the smart contract 530 .

The above-described embodiments may be implemented in hardware, in a computer program executed by a processor, in firmware, or in combinations thereof. A computer program may be embodied in a computer readable medium such as a storage medium. For example, a computer program may be stored in random access memory (RAM), flash memory, read-only memory (ROM), erasable programmable read-only memory (EPROM), memory), electrically erasable programmable read-only memory (EEPROM), registers, hard disk, removable disk, compact disk read-only memory (CD-ROM) memory), or any other form of storage medium known in the art.

An exemplary storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral with the processor. The processor and storage medium may reside in an application specific integrated circuit (ASIC). Alternatively, the processor and storage medium may exist as separate components.

FIG. 6A shows the process 600 of a new block being added to a distributed ledger 620, according to an example embodiment, and FIG. 6B shows the contents of a new data block structure 630 for a blockchain, according to an example embodiment. ing. The new data block structure 630 may contain a mapping of blockchain 1 and 2 attributes and permissions. Referring to FIG. 6A, a client (not shown) may submit transactions to blockchain nodes 611, 612, or 613, or a combination thereof. A client may be instructions received from any source to specify an activity on blockchain 620 . By way of example, a client may be an application acting on behalf of a requestor, such as a device, person, or entity that proposes a blockchain transaction. Multiple blockchain peers (eg, blockchain nodes 611 , 612 , and 613 ) may maintain copies of the state of the blockchain network and distributed ledger 620 . Different types of blocks, including signing peers that simulate and sign transactions proposed by clients, and commit peers that verify signatures, validate transactions, and commit transactions to distributed ledger 620 Chain nodes/peers may exist within a blockchain network. In this example, blockchain nodes 611, 612, and 613 may perform the roles of signer nodes, committer nodes, or both.

Distributed ledger 620 includes a blockchain that stores immutable ordered records in blocks, and a state database 624 (current world state) that maintains the current state of blockchain 622 . There may be one distributed ledger 620 per channel, with each peer maintaining its own copy of the distributed ledger 620 for each channel of which the peer is a member. Blockchain 622 is a transaction log structured as hash-linked blocks, each block containing a sequence of N transactions. A block may include various components, such as the components shown in FIG. 6B. Block links (indicated by arrows in FIG. 6A) may be generated by adding a hash of the previous block's header into the block header of the current block. In this way, all transactions on the blockchain 622 are ordered and cryptographically linked together to prevent tampering with the blockchain data without breaking the hash link. Furthermore, because of these links, the most recent block in blockchain 622 represents all the transactions that came before it. Blockchain 622 may be stored in a peer's file system (local or attached storage) that supports append-only blockchain workloads.

The current state of blockchain 622 and distributed ledger 620 may be stored in state database 624 . Here, current state data represents the latest values of all keys ever contained in the chain transaction log of blockchain 622 . A chaincode call executes a transaction against the current state in state database 624 . The latest values of all keys are stored in the state database 624 to make their chaincode interaction very efficient. State database 624 may contain an indexed view into the transaction log of blockchain 622, and thus can be regenerated from the chain at any time. The state database 624 may be automatically restored (or generated if necessary) at peer startup and before transactions are received.

A signing node receives transactions from clients and signs the transactions based on simulation results. Signing nodes hold smart contracts that simulate transaction proposals. When a signing node signs a transaction, the signing node generates a transaction signature, which is a signed response from the signing node to the client application that represents the simulated signature of the transaction. How a transaction is signed is determined by a signing policy that may be specified within the chaincode. An example of a signing policy is "Most of the signing peers must sign the transaction". Different channels may have different signing policies. The signed transaction is forwarded to ordering service 610 by the client application.

The ordering service 610 receives signed transactions, orders them into blocks, and delivers the blocks to commit peers. For example, the ordering service 610 may initiate a new block if a transaction threshold is reached, a timer times out, or another condition. In the example of FIG. 6A, blockchain node 612 is a commit peer that has received a new data block 630 of new data for storage on blockchain 620 . A first block in a blockchain may be referred to as a genesis block, which contains information about the blockchain, members of the blockchain, stored data, and so on.

The ordering service 610 may consist of a cluster of ordering nodes. The ordering service 610 does not process transactions, smart contracts, or maintain a shared ledger. Rather, ordering service 610 may receive signed transactions and specify the order in which those transactions are committed to distributed ledger 620 . The architecture of the blockchain network may be designed such that specific implementations of "ordering" (eg, Solo, Kafka, BFT, etc.) are pluggable components.

Transactions are written to distributed ledger 620 in a consistent order. Transaction ordering is established to ensure that updates to state database 624 are valid when transactions are committed to the network. Unlike cryptocurrency blockchain systems (e.g., Bitcoin, etc.) where ordering occurs by solving cryptographic puzzles or mining, in this example, the participants in the distributed ledger 620 choose the ordering mechanism that best suits their network. can be selected.

The ordering service 610 initializes a new data block 630, which may be broadcast to commit peers (eg, blockchain nodes 611, 612, and 613). In response, each commit peer validates the transaction in new data block 630 by checking to ensure that the read set and write set still match the current world state in state database 624 . to confirm. In particular, the commit peer can determine whether the read data that existed when the signer simulated the transaction is identical to the current world state in state database 624 . If the commit peer validates the transaction, the transaction is written to blockchain 622 of distributed ledger 620 and state database 624 is updated with the write data from the read/write set. If a transaction fails, i.e., if a commit peer detects that the read/write set does not match the current world state in state database 624, transactions ordered within a block will still be allowed to enter that block. It is included but marked as invalid and the state database 624 is not updated.

6B, a new data block 630 (also called a data block) stored on blockchain 622 of distributed ledger 620 includes block header 640, block data 650, and block metadata 660. , may contain multiple data segments. It should be noted that the various illustrated blocks and their contents, such as the new data block 630 and its contents illustrated in FIG. 6B, are examples only and are not intended to limit the scope of example embodiments. , should be understood. New data block 630 may store transaction information for N (eg, 1, 10, 100, 500, 1000, 2000, 3000, etc.) transactions in block data 650 . New data block 630 may include a link to a previous block (eg, on blockchain 622 of FIG. 6A) within block header 640 . In particular, block header 640 may contain a hash of the previous block's header. Block header 640 may include a unique block number for new data block 630, a hash of block data 650, and the like. Block numbers for new data blocks 630 are unique and may be assigned in various orders, such as progressive/consecutive order starting at 0.

Block data 650 may store transaction information for each transaction recorded in new data block 630 . For example, transaction data includes transaction type, version, timestamp, distributed ledger 620 channel ID, transaction ID, epoch, payload visibility, chaincode path (transaction deployment), chaincode name, chaincode version, inputs (chaincode and functions), client (creator) identity such as public key and certificate, client signature, signer identity, signer signature, proposal hash, chaincode event, response state, namespace, write set (such as the list of keys and versions read by the transaction), write set (such as the list of keys and values), start key, end key, list of keys, merkle tree query It may include one or more of a summary (Merkle tree query summary) and the like. Transaction data may be stored in each of the N transactions.

In some embodiments, block data 650 may store new data 662 that adds additional information to the hashlinked chain of blocks in blockchain 622 . The additional information may include one or more of the steps, features, processes, or actions described or illustrated herein, or any combination thereof. In response, new data 662 may be stored in an immutable log of blocks on distributed ledger 620 . Some of the advantages of storing such new data 662 are reflected in the various embodiments disclosed and illustrated herein. New data 662 is shown in block data 650 in FIG. 6B, but could also be in block header 640 or block metadata 660 . The new data 662 may include mappings of blockchain 1 and 2 attributes and permissions.

Block metadata 660 may store multiple fields of metadata (eg, as a byte array, etc.). Metadata fields include the signature at block creation time, a reference to the last constituent block, a transaction filter that identifies valid and invalid transactions within the block, and the persistent last offset of the ordering service that ordered the block. and so on. The signature, final building block, and ordering node metadata may be added by the ordering service 610 . On the other hand, a committer of a block (such as blockchain node 612) may add valid/invalid information based on signature policy, read/write set verification, and the like. A transaction filter may include a byte array of size equal to the number of transactions in block data 650 and a validation code that identifies whether the transaction was valid/invalid.

FIG. 6C shows an embodiment of a blockchain 670 for digital content according to embodiments described herein. Digital content may include one or more files and associated information. These files may include media, images, video, audio, text, links, graphics, animations, web pages, documents, or other forms of digital content. Blockchain's immutable, append-only characteristics serve as a safeguard to protect the integrity, validity, and reliability of digital content, in legal proceedings where admissibility rules apply, or in evidence. Appropriate use of blockchain in other settings where is considered or the presentation and use of digital information is otherwise targeted. In this case, the digital content is sometimes called digital evidence.

Blockchains may be formed in a variety of ways. In one embodiment, the digital content may be contained on and accessed from the blockchain itself. For example, each block of a blockchain may store a hash value of reference information (eg, headers, values, etc.) along with associated digital content. The hash value and associated digital content may then be encrypted together. Accordingly, the digital content of each block may be accessed by decrypting each block in the blockchain, and the hash value of each block may be used as a basis for referencing previous blocks.

This may be shown as follows.
Block 1 Block 2 ..... Block N
Hash value 1 Hash value 2 Hash value N
Digital content 1 Digital content 2 Digital content N

In one embodiment, digital content may not be included on the blockchain. For example, a blockchain may store an encrypted hash of the contents of each block that does not contain digital content. Digital content may be stored in a separate storage area or memory address in association with the hash value of the original file. The other storage area may be the same storage device as the storage device used to store the blockchain, or it may be a different storage area or a separate relational database. Each block of digital content is obtained by obtaining or querying the hash value of the block in question and then searching in the storage area for the hash value stored corresponding to the actual digital content. may be referenced or accessed. This operation may be performed, for example, by a database gatekeeper. This may be shown as follows.
Blockchain storage area
Hash value of block 1 Hash value of block 1. . . Hash value of content block N Hash value of block N . . . content

In the example embodiment of FIG. 6C, the blockchain 670 comprises a plurality of blocks 678 ₁ , 678 ₂ , . . . 678 _N , where N≧1. Blocks 678 ₁ , 678 ₂ , . . . The encryption used to link the 678 _N can be either multiple keyed hash functions or keyless hash functions. In one embodiment, blocks 678 ₁ , 678 ₂ , . . . 678 _N is subjected to a hash function that produces an n-bit alphanumeric output from the input based on the information in the block (where n is 256 or another number). Examples of such hash functions include SHA-type (SHA stands for Secured Hash Algorithm) algorithm, Merkle-Dangard algorithm, HAIFA algorithm, Merkle tree algorithm, nonce-based algorithm , and non-collision tolerant PRF algorithms. In another embodiment, blocks 678 ₁ , 678 ₂ , . . . 678 _N may be cryptographically linked by a function different than the hash function. For purposes of illustration, the following discussion will be made with reference to hash functions (eg, SHA-2).

Blocks 678 ₁ , 678 ₂ , . . . 678 _N contains a header, a file version, and a value. Headers and values differ from block to block as a result of hashing within the blockchain. In one embodiment, the value may be included in the header. As explained in more detail below, the version of the file may be the original file or a different version of the original file.

The first block 678 ₁ in the blockchain is called the genesis block and contains the header 672 ₁ , the original file 674 ₁ and the initial value 676 ₁ . The hashing scheme used for the genesis block (and indeed for all subsequent blocks) may vary. For example, all of the information in the first block 678 ₁ may be hashed together at the same time, or each or part of the information in the first block 678 ₁ may be hashed separately and then the hashed parts separately. A hash may be performed.

Header 672 ₁ may include one or more initial parameters, such as version number, timestamp, nonce, route information, difficulty level, agreement protocol, duration, media format, source, descriptive keywords. , or other information associated with the original file 674 ₁ and/or blockchain, or a combination thereof. Header 672 ₁ may be generated automatically (eg, by blockchain network management software) or manually by a participant in the blockchain. Unlike the headers in the other blocks 678 ₂ - 678 _N in the blockchain, the header 672 ₁ in the genesis block does not refer to the previous block simply because there is no previous block.

The original file 674 ₁ in the genesis block may be, for example, data captured by the device, with or without processing prior to inclusion in the blockchain. The original file 674 ₁ is received from a device, media source, or node through the system's interface. The original file 674 ₁ is associated with metadata, which may be generated either manually or automatically by, for example, a user, device, and/or system processor. Metadata may be included in the first block 678 ₁ in relation to the original file 674 ₁ .

The values 676 ₁ in the genesis block are initial values generated based on one or more unique attributes of the original file 674 ₁ . In one embodiment, the one or more unique attributes may include a hash value of the original file _674-1 , metadata of the original file _674-1 , and other information associated with the file. In one implementation, the initial value 676 ₁ may be based on the following unique attributes.
1) A hash value computed over the original file by SHA-2 2) Originating Device ID
3) the start timestamp of the original file; 4) the initial storage location of the original file; 5) the blockchain network member ID of the software currently controlling the original file and associated metadata.

Other blocks 678 ₂ to 678 _N in the blockchain also contain headers, files and values. However, unlike the first block 672 ₁ , each of the headers 672 ₂ -672 _N in the other blocks contains the hash value of the immediately preceding block. The hash value of the previous block may simply be the hash of the header of the previous block, or it may be the hash value of the entire previous block. A block-by-block trace back from the Nth block to the genesis block (and associated original file), as indicated by arrow 680, by including the hash value of the preceding block in each of the remaining blocks. Establish an enforceable, auditable, and immutable evidence hold.

Each of the headers 672 ₂ - 672 _N within the other block typically contains other information (e.g., version number, timestamp, nonce, root information, difficulty level, consensus protocol, or corresponding file and/or blockchain). other parameters or information associated with (or combinations thereof).

Files 674 ₂ - 674 _N in other blocks may be the same as the original files in the genesis block, or may be modified versions of the original files, depending on, for example, the type of processing being performed. you can The type of processing performed may vary from block to block. Processing includes any changes in the file within the preceding block, such as, for example, editing or otherwise changing the content of information, removing information from a file, or adding information to a file. May contain changes.

Additionally or alternatively, the process may simply copy the file from a preceding block, change the storage location of the file, analyze the file from one or more preceding blocks, transfer the file to a storage or moving from a memory location to another storage or memory location, or performing an operation on a blockchain file and/or associated metadata. Processing that includes analyzing a file may include, for example, adding, including, or otherwise associating various analyses, statistics, or other information associated with the file.

The values contained in each of the other blocks 676 ₂ - 676 _N within the other blocks are unique values and are all different as a result of the processing performed. For example, the values in any one block correspond to updated versions of the values in the previous block. This update is reflected in the hash of the block to which the value was assigned. The value of a block therefore provides an indication of what processing was performed within the block, and also allows tracing the blockchain back to the original file. This trace confirms the integrity of the file throughout the blockchain.

For example, consider the case where a portion of the file in the previous block is edited, cut off, or pixelated to protect the identity of a person shown in the file. In this case, the block containing the edited file will contain metadata associated with the edited file, such as how the edit was performed, who performed the edit, and the timestamp at which the edit occurred. will contain data. This metadata may be hashed to form the value. The values are different from each other because the metadata of the block is different from the information hashed to form the value in the previous block, and may be recovered when decrypted.

In one embodiment, the value of the previous block may be updated to form the value of the current block when any one or more of the following occur (e.g., the new hash value is may be calculated). A new hash value, in this example embodiment, may be computed by hashing all or part of the information provided below.
a) a new SHA-2 when the file is manipulated in any way (e.g., when the file is edited, copied, modified, accessed, or some other action is performed); b) the new storage location of the file; c) the identified new metadata associated with the file; d) access or control of the file from one blockchain participant to another blockchain participant. movement of

FIG. 6D shows an embodiment of a block that can represent the structure of blocks within blockchain 690, according to one example embodiment. Block (block _i ) includes header 672 _i , file 674 _i , and value 676 _i .

Header 672 _i may be a hash value of the previous block (block _i−1 ) as described herein, and additional reference information (eg, reference, property, header information, including parameters, etc.). All blocks, with the exception of the genesis block of course, reference the hash of the previous block. The hash value of the previous block may simply be the hash of the headers in the previous block, or it may be the hash of all or part of the information in the previous block, including files and metadata.

File 674 _i contains data 1, data 2, . . . , data N, etc. in order. The data is organized into metadata 1, metadata 2, . . . , tagged with metadata N. For example, per-data metadata establishes the time stamp of the data, the process of the data, keywords indicating the person or other content shown in the data, or the validity and content of the file as a whole, and in particular, e.g. Information may be included to indicate other features, or combinations thereof, that may assist in using the digital evidence, as described in connection with the embodiments described below. In addition to metadata, each datum must have a reference to the previous datum ( _ref1 , _ref2 , ..., _refN ) to prevent tampering, gaps in the file, and continuous referencing of the entire file. May be tagged.

After metadata has been assigned to data (e.g., via a smart contract), metadata cannot be changed without changing the hash, and hash changes can be easily identified as invalid . Metadata thus creates a data log of information that may be accessed for use by participants within the blockchain.

Value 676 _i is a hash value or other value computed based on any of the types of information previously described. For example, for any particular block (block _i ), the value of that block is the operation performed on that block (e.g. new hash value, new storage location, new metadata for the associated file, control or access movements, identifiers, or other actions or additional information). Although the values within each block are shown to be separate from the file and header data metadata, in alternate embodiments the values may be based in part or in whole on this metadata. .

At some point after the blockchain 670 is formed, immutable evidence integrity of the file may be obtained by querying the blockchain for the transaction history of values across blocks. This interrogation or tracking procedure may start by decoding the value of the last included block (e.g. the last (Nth) block) before reaching the genesis block where the original file is Continue decoding other block values until recovered. Decoding may also include decoding the header and file and associated metadata at each block.

Decryption is performed based on the type of encryption performed on each block. This decryption may involve the use of a private key, a public key, or a public/private key pair. For example, if asymmetric cryptography is used, a blockchain participant or processor in the network may generate a public and private key pair using a predefined algorithm. Public and private keys are related to each other by some mathematical relationship. A public key may be publicly distributed to serve as an address (eg, IP address or home address) for receiving messages from other users. A private key is kept secret and is used to digitally sign messages sent to other blockchain participants. The signature is included in the message so that the recipient can verify it using the sender's public key. In this way, the recipient can be sure that only the sender could have sent this message.

Generating a key pair is similar to creating an account on the blockchain, but it doesn't actually need to be registered anywhere. Also, every transaction executed against the blockchain is digitally signed by the sender using a private key. This signature ensures that only the account owner can track and process files on the blockchain (within the permissions determined by the smart contract).

7A and 7B illustrate additional use cases for blockchain that may be incorporated and used herein. In particular, FIG. 7A shows an example 700 of a blockchain 710 storing machine learning (artificial intelligence) data. Machine learning relies on large amounts of historical data (or training data) to build predictive models for accurate predictions on new data. Machine learning software (eg, neural networks, etc.) can often sift through millions of records to discover non-intuitive patterns.

In the example of FIG. 7A, host platform 720 builds and deploys machine learning models for predictive monitoring of assets 730 . Here, the host platform 720 may be a cloud platform, industrial server, web server, personal computer, user device, and the like. Assets 730 can be any type of asset (eg, machinery or equipment, etc.) such as aircraft, locomotives, turbines, medical equipment, oil and gas equipment, boats, ships, vehicles, and the like. As another example, assets 730 may be intangible assets such as stocks, currencies, digital coins, insurance, and the like.

Blockchain 710 can be used to significantly improve both the machine learning model training process 702 and the prediction process 704 based on the trained machine learning model. For example, at 702, rather than requiring a data scientist/engineer or other user to collect the data, the asset 730 itself (or via an intermediary not shown), the blockchain 710 may be stored. This can significantly reduce the collection time required by the host platform 720 when performing predictive model training. For example, smart contracts can be used to transfer data straight, directly, and reliably from its original location to the blockchain 710 . Smart contracts transmit data directly from assets to individuals who use the data to build machine learning models, using blockchain 710 to ensure security and ownership of collected data can do. This allows sharing of data between assets 730 .

Collected data may be stored on blockchain 710 based on a consensus mechanism. The consensus mechanism controls (authorized nodes) to ensure that the data being recorded has been verified and is correct. The recorded data is time-stamped, cryptographically signed, and irreversible. The recorded data is therefore auditable, transparent and secure. Adding IoT devices that write directly to the blockchain can increase the frequency with which data is recorded and improve its accuracy in certain cases (i.e. supply chain, healthcare, logistics, etc.).

Additionally, training a machine learning model on collected data may require a series of refinements and tests by the host platform 720 . Each refinement and test may be based on additional or previously unconsidered data to help extend the knowledge of the machine learning model. At 702 , different training and testing steps (and associated data) may be stored on blockchain 710 by host platform 720 . Each refinement of the machine learning model (eg, changes in variables, weights, etc.) may be stored on blockchain 710 . This provides verifiable proof of how the model was trained and what data was used to train the model. Additionally, when the host platform 720 implements the final trained model, the resulting model may be stored on the blockchain 710 .

After a model is trained, it can be deployed into a live environment and predictions/decisions can be made based on the final trained machine learning model execution. For example, at 704, machine learning models may be used for condition-based maintenance (CBM) for assets such as aircraft, wind turbines, medical machines, and the like. In this example, data fed back from asset 730 is input into a machine learning model and may be used to make event predictions such as failure events, error codes, and the like. Decisions made by running machine learning models on host platform 720 may be stored on blockchain 710 to provide auditable/verifiable proof. As one non-limiting example, a machine learning model may predict a future outage/failure in a part of asset 730 and generate an alert or notification to replace that part. The data behind this decision may be stored on blockchain 710 by host platform 720 . In one embodiment, the features and/or operations described and/or shown herein may occur on or with respect to blockchain 710 .

New transactions on the blockchain can be aggregated together into new blocks and added to existing hash values. This hash value is then encrypted to generate a new hash for the new block. This new hash is added to the next list of transactions, such as when a transaction is encrypted. The result is a chain of blocks each containing the hash value of all preceding blocks. The computers storing these blocks periodically compare the hash values of the blocks to ensure that they all agree. All non-agreeing computers discard the offending record. This method is suitable for ensuring tamper-proofness of the blockchain, but it is not perfect.

One way to tamper with the system is for an unauthorized user to modify the list of transactions to his advantage in such a way that the hash does not change. This can be done by brute force attack, in other words by changing the record, encrypting the result and checking if the hash value is the same. If the hash values are not the same, try again and again until a matching hash is found. Blockchain security is based on the idea that ordinary computers can only perform this kind of brute force attack over a totally impractical time scale, such as the age of the universe. Quantum computers, on the other hand, are very fast (thousands of times faster) and therefore pose a much greater threat.

FIG. 7B shows an example 750 of a quantum secure blockchain 752 that implements quantum key distribution (QKD) to protect against quantum computing attacks. In this example, blockchain users can use QKD to verify each other's identities. This verification uses quantum particles, such as photons, to transmit information that cannot be copied by an eavesdropper without being destroyed. In this way, the sender and receiver can confirm each other's identity via the blockchain.

In the example of Figure 7B, there are four users (754, 756, 758, and 760). Each pair of users can share a private key 762 (ie, QKD) among themselves. Since there are four nodes in this example, there are six pairs of nodes and therefore six different private keys 762 including QKD _AB , QKD _AC , QKD _AD , QKD _BC , QKD _BD and QKD _CD . used. Each pair can create QKD by transmitting information using quantum particles such as photons, which cannot be copied by an eavesdropper without destruction. In this way, a pair of users can confirm each other's identity.

The operation of blockchain 752 is based on two procedures: (i) creation of transactions, and (ii) construction of blocks that collect new transactions. New transactions may be created as in traditional blockchain networks. Each transaction may contain information about the sender, the recipient, the time of creation, the amount (or value) transferred, a list of reference transactions that justify the sender having the funds for the operation, etc. . This transaction record is then sent to all other nodes and entered into a pool of unconfirmed transactions. Here, two parties (ie, the pair of users among 754-760) authenticate the transaction by providing a shared secret key 762 (QKD). This quantum signature is attached to every transaction and can make tampering extremely difficult. Each node checks the transaction's entry against its local copy of blockchain 752 to verify that each transaction has sufficient funds. However, the transaction has not yet been confirmed.

Rather than performing a conventional mining process on blocks, blocks may be created in a distributed manner using a broadcast protocol. For a predetermined period of time (e.g., seconds, minutes, hours, etc.), the network may apply a broadcast protocol to any unconfirmed transaction, thereby achieving Byzantine agreement on the correct version of the transaction. . For example, each node may own private values (transaction data for that particular node). The first time, nodes send private values to each other. The node then propagates information previously received from other nodes. A real node can now create a complete set of transactions in a new block. This new block can be added to blockchain 752 . In one embodiment, the features and/or operations described and/or shown herein may occur on or with respect to blockchain 752 .

FIG. 8 illustrates an exemplary system 800 that supports one or more of the example embodiments described and/or shown herein. System 800 includes a computer system/server 802 that is operational in numerous other general purpose or special purpose computing system environments or configurations. Examples of well-known computing systems, environments, or configurations, or combinations thereof, that may be suitable for use with computer system/server 802 include personal computer systems, server computer systems, thin clients, thick Clients, handheld or laptop devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and these including, but not limited to, distributed cloud computing environments including any system or device of

Computer system/server 802 may be described in the general context of computer system-executable instructions, such as program modules, being executed by the computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. Computer system/server 802 may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.

As shown in FIG. 8, computer systems/servers 802 within cloud computing node 800 are shown in the form of general-purpose computing devices. Components of computer system/server 802 may include one or more processors or processing units 804 , system memory 806 , and a bus coupling various system components including system memory 806 to processor 804 . but not limited to these.

A bus can be any of multiple types of buses, including memory buses or memory controllers, peripheral buses, accelerated graphics ports, and processors or local buses using any of a variety of bus architectures. Represents one or more of the structures. By way of example, such architectures include the ISA (Industry Standard Architecture) bus, the MCA (Micro Channel Architecture) bus, the EISA (Enhanced ISA) bus, the VESA (Video Electronics Standards Association) local bus, and the PCI (Peripheral Component Interconnects) bus. Including but not limited to buses.

Computer system/server 802 typically includes a variety of computer system readable media. Such media can be any available media that can be accessed by computer system/server 802 and includes both volatile and nonvolatile media, removable and non-removable media. System memory 806, in one embodiment, implements the flow diagrams of other figures. The system memory 806 can include computer system readable media in the form of volatile memory such as random access memory (RAM) 810 and/or cache memory 812 . Computer system/server 802 may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, a storage system 814 can be provided to read from and write to non-removable, non-volatile magnetic media (not shown and commonly referred to as "hard drives"). Although not shown, a magnetic disk drive for reading from and writing to removable, non-volatile magnetic disks (e.g., "floppy disks") and CD-ROM, DVD-ROM, or other An optical disk drive can be provided for reading from and writing to removable, non-volatile optical disks, such as optical media in the US. In such examples, each may be connected to the bus by one or more data medium interfaces. As shown and described in detail below, memory 806 comprises at least one program module that comprises a series (eg, at least one) of program modules configured to perform the functions of various embodiments of the present application. may include one Program Product.

Programs/utilities 816 including a series (at least one) of program modules 818 may be stored in memory 806, for example, but not limited to, an operating system, one or more application programs, Other program modules and program data may also be stored. Each of the operating system, one or more application programs, other program modules, and program data, or any combination thereof, may include an implementation of a network environment. Program modules 818 generally perform the functions and/or methods of the various embodiments of the application described herein.

As will be appreciated by those skilled in the art, aspects of the present application may be embodied as a system, method, or computer program product. Accordingly, aspects of the present application may be in the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, microcode, etc.), or an embodiment combining software and hardware aspects. , all of which may be generally referred to herein as a "circuit," "module," or "system." Furthermore, the present application may take the form of a computer program product embodied in one or more computer-readable media having computer-readable program code embodied therein.

Computer system/server 802 also includes one or more external devices 820 such as a keyboard, pointing device, display 822, and one or more devices that enable a user to interact with computer system/server 802. It may also communicate with the device, or any device (eg, network card, modem, etc.), or combination thereof, that enables computer system/server 802 to communicate with one or more other computing devices. . Such communication may occur via I/O interface 824 . Further, computer system/server 802 may be connected to a local area network (LAN), a general wide area network (WAN), or a public network (eg, the Internet), or combinations thereof. can communicate with one or more networks of the network through network adapter 826 . As depicted, network adapter 826 communicates with other components of computer system/server 802 via a bus. Although not shown, it should be understood that other hardware and/or software components may be used with computer system/server 802 . Examples include, but are not limited to, microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archive storage systems.

While example embodiments of at least one of the systems, methods, and non-transitory computer-readable media are illustrated in the accompanying drawings and described in the foregoing detailed description, the present application is directed to the disclosed embodiments. It will be understood that numerous rearrangements, modifications and substitutions may be made as shown and defined by the following claims, without limitation. For example, the functions of the systems in various figures can be performed by one or more of the modules or components described herein, or in a distributed architecture, with transmitters, receivers, or both May contain pairs. For example, all or part of the functionality performed by individual modules may be performed by one or more of those modules. Moreover, the functions described herein may be performed inside or outside of the module or component at different times and for different events. Also, information sent between the various modules may be sent over at least one of a data network, the Internet, a voice network, an Internet Protocol network, a wireless device, a wired device, or over multiple protocols. can be sent between modules, either via a network, or a combination thereof. Also, messages sent or received by any of the modules may be sent or received either directly or via one or more of the other modules, or both.

Those skilled in the art will define a "system" as a personal computer, server, console, PDA (personal digital assistant), cell phone, tablet computing device, smart phone, or any other suitable computing device or device. It will be appreciated that it can be embodied as a combination of Presenting the aforementioned functionality being performed by a "system" is in no way intended to limit the scope of this application, but is intended to provide an example of one of many embodiments. there is Indeed, the methods, systems, and apparatus disclosed herein may be implemented in a localized, distributed fashion consistent with computing technology.

It should be noted that some of the features of the systems described herein have been presented as modules, particularly to more emphasize their implementation independence. For example, a module may be implemented as a hardware circuit comprising custom very large-scale integration (VLSI) circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. you can A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices, graphics processing units or the like.

Modules may also be implemented at least partially in software for execution by various types of processors. An identified unit of executable code may, for example, comprise one or more physical or logical blocks of computer instructions which may, for example, be organized as an object, procedure, or function. Nevertheless, the executables of the identified modules need not be physically co-located, but may contain disparate instructions stored in different locations that are logically co-located. When combined, it comprises a module and accomplishes the defined purpose of the module. Additionally, the modules may be stored on a computer readable medium, such as a hard disk drive, flash device, random access memory (RAM), tape, or used for data storage. It can be any other medium.

In practice, a module of executable code can be a single instruction or many instructions, distributed across multiple different code segments, between different programs and across multiple memory devices. may be Similarly, operational data may be identified and represented herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. Manipulable data may be collected as a single data set, or may be distributed across different locations, including different storage devices, and exist at least partially as mere electronic signals on a system or network. you can

It will be readily understood that the components of the present application may be arranged and designed in a wide variety of different configurations, as schematically described and shown in the figures herein. Accordingly, the detailed description of the embodiments is not intended to limit the scope of the claimed application, but merely represents selected embodiments of the application.

One of ordinary skill in the art would be able to implement the foregoing using steps in a different order than that disclosed and/or using hardware elements that differ from those in the disclosed arrangements. It will be easy to see that it is possible to practice Thus, while the present application has been described with reference to these preferred embodiments, it will be apparent to those skilled in the art that certain modifications, variations, and alternative constructions will be apparent.

Although preferred embodiments of the present application have been described, the described embodiments are examples only, and the full scope of equivalents and modifications to those embodiments (e.g., protocol, hardware, etc.) device, software platform, etc.), the scope of the present application should be defined solely by the appended claims.

Claims (20)

a processor;
and a memory in which machine-readable instructions are stored, the machine-readable instructions, when executed by the processor, causing the processor to:
connecting blockchain 1 to blockchain 2;
creating an Interoperable Identity Network (IIN) for said Blockchain 1 and said Blockchain 2 as an instance of a Self-Sovereign Identity (SSI) network;
Run your smart contract to
Invoke the IIN access control policy,
mapping the attributes and permissions of the blockchain 1 to the attributes and permissions of the blockchain 2 based on the IIN access control policy;
and generating valid and verifiable credentials (VCs) of said IINs in said blockchain 1 and said blockchain 2 based on said mapped attributes and said permissions. 2. The system of claim 1, wherein the SSI network is configured to store an inter-network distributed identifier (DID). 2. The system of claim 1, wherein the SSI network includes an INN-specific schema that defines the structure of associated DID documents. The instructions instruct the processor to execute the smart contract and apply the IIN access control policy to the block authorized to connect to the blockchain 2 and invoke functions of the blockchain 2. 2. The system of claim 1, further causing defining an entity of Chain 1 to be performed. The instructions further cause the processor to execute the smart contract and verify the VCs of the IINs in the blockchain 1 and the blockchain 2 based on the DIDs of the SSI network. , the system of claim 1. 2. The system of claim 1, wherein the instructions further cause the processor to use the IIN for inter-network identity provisioning of multiple blockchain networks. 2. The system of claim 1, wherein the instructions further cause the processor to execute the smart contract and verify identities and permissions of verifiable presentations against the IIN access control policy. connecting blockchain 1 to blockchain 2 by an identity provisioning node;
creating, by an Identity Provisioning Node, an Interoperable Identity Network (IIN) for said Blockchain 1 and said Blockchain 2 as an instance of a Self-Sovereign Identity (SSI) network;
Run your smart contract to
Invoke the IIN access control policy,
mapping the attributes and permissions of the blockchain 1 to the attributes and permissions of the blockchain 2 based on the IIN access control policy;
and generating valid and verifiable credentials (VCs) for the IINs in the blockchain 1 and the blockchain 2 based on the mapped attributes and the permissions. 9. The method of claim 8, wherein the SSI network is configured to store an inter-network distributed identifier (DID). 9. The method of claim 8, wherein the SSI network includes an INN-specific schema that defines the structure of associated DID documents. Executing the smart contract and applying the IIN access control policy to define entities of the blockchain 1 that are allowed to connect to the blockchain 2 and invoke functions of the blockchain 2 . 9. The method of claim 8, further comprising: 9. The method of claim 8, further comprising executing the smart contract and verifying the VCs of the IINs in the blockchain 1 and the blockchain 2 based on the DIDs of the SSI network. Method. 9. The method of claim 8, further comprising using the IIN for inter-network identity provisioning of multiple blockchain networks. 9. The method of claim 8, further comprising executing the smart contract and verifying identities and permissions of verifiable presentations against the IIN access control policy. A non-transitory computer-readable medium containing instructions that, when read by a processor, cause the processor to:
connecting blockchain 1 to blockchain 2;
creating an Interoperable Identity Network (IIN) for said Blockchain 1 and said Blockchain 2 as an instance of a Self-Sovereign Identity (SSI) network;
Run your smart contract to
Invoke the IIN access control policy,
mapping the attributes and permissions of the blockchain 1 to the attributes and permissions of the blockchain 2 based on the IIN access control policy;
generating valid and verifiable credentials (VCs) for said IINs in said Blockchain 1 and said Blockchain 2 based on said mapped attributes and said permissions. readable medium. 16. The non-transitory computer-readable medium of claim 15, wherein the SSI network is configured to store an inter-network distributed identifier (DID). further comprising instructions, which, when read by the processor, cause the processor to execute the smart contract, apply the IIN access control policy, and connect to the blockchain 2; 16. The non-transitory computer-readable medium of claim 15, causing defining entities of said Blockchain 1 that are permitted to invoke functions of Blockchain 2. further comprising instructions, which when read by the processor, cause the processor to execute the smart contract, within the blockchain 1 and within the blockchain 2 based on the DID of the SSI network 16. The non-transitory computer-readable medium of claim 15, causing verification of the VC of the IIN of . 16. The method of claim 15, further comprising instructions that, when read by the processor, cause the processor to perform using the IIN for identity provisioning between networks of a plurality of blockchain networks. The non-transitory computer-readable medium described. further comprising instructions that, when read by the processor, cause the processor to execute the smart contract and verify identities and permissions of verifiable presentations against the IIN access control policy. 16. The non-transitory computer readable medium of claim 15, causing:

Images